The design decisions determine the deployment configuration to support the Cloud-Based Automation for VMware Cloud Foundation validated solution.

Deployment Specification

Table 1. Design Decisions for Deployment of the Cloud Proxy Appliance

CBA-CDP-CFG-001
  Design Decision: Deploy the Cloud Proxy appliance in the default management vSphere cluster.
  Design Justification: Required to establish secure communication between the VMware Cloud Foundation instance and Cloud Assembly.
  Design Implication: The Cloud Proxy must be able to connect to the internet through a firewall.

CBA-CDP-CFG-002
  Design Decision: Protect the Cloud Proxy appliance by using vSphere High Availability.
  Design Justification: Supports the availability objective without requiring manual intervention during an ESXi host failure.
  Design Implication: None.

CBA-CDP-CFG-003
  Design Decision: Place the Cloud Proxy appliance in a designated virtual machine folder.
  Design Justification: Provides organization of the appliances in the management domain vSphere inventory.
  Design Implication: You must create the virtual machine folder during deployment.

Table 2. Design Decisions for Deployment of the Cloud Proxy Appliance in Multiple Availability Zones

CBA-CDP-CFG-004
  Design Decision: When using two availability zones, add the Cloud Proxy appliance to the VM group of the first availability zone.
  Design Justification: Ensures that the Cloud Proxy appliance runs in the primary availability zone hosts group.
  Design Implication: After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the Cloud Proxy appliance.

Table 3. Design Decisions for Deployment of the Cloud Extensibility Proxy Appliance

CBA-CEP-CFG-001
  Design Decision: Deploy the Cloud Extensibility Proxy appliance in the default management vSphere cluster.
  Design Justification: Required to establish secure communication between the on-premises vRealize Orchestrator and Cloud Assembly.
  Design Implication: The Cloud Extensibility Proxy must be able to communicate out to the internet through a corporate firewall.

CBA-CEP-CFG-002
  Design Decision: Protect the Cloud Extensibility Proxy appliance by using vSphere High Availability.
  Design Justification: Supports the availability objective without requiring manual intervention during an ESXi host failure.
  Design Implication: None.

CBA-CEP-CFG-003
  Design Decision: Place the Cloud Extensibility Proxy appliance in a designated virtual machine folder.
  Design Justification: Provides organization of the appliances in the management domain vSphere inventory.
  Design Implication: You must create the virtual machine folder during deployment.

Table 4. Design Decisions for Deployment of the Cloud Extensibility Proxy Appliance in Multiple Availability Zones

CBA-CEP-CFG-004
  Design Decision: When using two availability zones, add the Cloud Extensibility Proxy appliance to the VM group of the first availability zone.
  Design Justification: Ensures that the Cloud Extensibility Proxy appliance runs in the primary availability zone hosts group.
  Design Implication: After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the Cloud Extensibility Proxy appliance.

Network Design

Table 5. Design Decisions on Network Segments

CBA-CDP-NET-001
  Design Decision: Place the Cloud Proxy appliance on the management VLAN.
  Design Justification:
    • Places the Cloud Proxy on the same network as the VMware Cloud Foundation components that the appliance must communicate with.
    • Provides a consistent deployment model for VMware Cloud services.
  Design Implication: None.

CBA-CEP-NET-001
  Design Decision: Place the Cloud Extensibility Proxy appliance on the management VLAN.
  Design Justification:
    • Places the Cloud Extensibility Proxy on the same network as the VMware Cloud Foundation components that the appliance must communicate with.
    • Provides a consistent deployment model for VMware Cloud services.
  Design Implication: None.

Table 6. Design Decisions on IP Addressing

CBA-CDP-NET-002
  Design Decision: Allocate statically assigned IP addresses from the management VLAN to the Cloud Proxy appliance.
  Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
  Design Implication: Requires precise IP address management.

CBA-CEP-NET-002
  Design Decision: Allocate statically assigned IP addresses from the management VLAN to the Cloud Extensibility Proxy appliance.
  Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
  Design Implication: Requires precise IP address management.

Table 7. Design Decisions on Name Resolution

CBA-CDP-NET-003
  Design Decision: Configure forward and reverse DNS records for the Cloud Proxy appliance IP address.
  Design Justification: Ensures that the appliance is accessible by using a fully qualified domain name instead of only IP addresses.
  Design Implication:
    • You must provide a DNS record for the appliance IP address.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBA-CDP-NET-004
  Design Decision: Configure DNS servers on the Cloud Proxy appliance.
  Design Justification: Ensures that the appliance has accurate name resolution.
  Design Implication:
    • DNS infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.
    • You must provide two or more DNS servers unless DNS geographic load balancing is active.

CBA-CEP-NET-003
  Design Decision: Configure forward and reverse DNS records for the Cloud Extensibility Proxy appliance IP address.
  Design Justification: Ensures that the appliance is accessible by using a fully qualified domain name instead of only IP addresses.
  Design Implication:
    • You must provide a DNS record for the appliance IP address.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBA-CEP-NET-004
  Design Decision: Configure DNS servers on the Cloud Extensibility Proxy appliance.
  Design Justification: Ensures that the appliance has accurate name resolution.
  Design Implication:
    • DNS infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.
    • You must provide two or more DNS servers unless DNS geographic load balancing is active.
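The checks behind the name-resolution decisions above (a forward record for the appliance address, a matching PTR record, and at least two DNS servers) can be audited with a short script. The following is an added example, not VMware code or part of this design: the lookup functions are injectable so it runs offline against constructed zone data, and by default it uses the host resolver. The hostnames (`cdp01.example.lab`, `cep01.example.lab`) and 10.10.0.0/16 addresses are constructed sample values, not values from this document.

```python
"""Audit of appliance name resolution (forward record, matching PTR, resolver redundancy).

Added example, not VMware's. Lookups are injectable so the audit can run
offline on constructed data; by default it uses the host resolver.
"""
import socket


def system_forward(fqdn):
    """IPv4 addresses the host resolver returns for fqdn (empty set if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def system_reverse(ip):
    """PTR name plus aliases for ip (empty set if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return {name, *aliases}
    except (socket.herror, socket.gaierror):
        return set()


def _norm(name):
    """Compare names case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()


def audit_name_resolution(fqdn, expected_ip, dns_servers,
                          forward=system_forward, reverse=system_reverse):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    addrs = forward(fqdn)
    if not addrs:
        findings.append(f"no forward (A) record for {fqdn}")
    elif expected_ip not in addrs:
        findings.append(f"{fqdn} resolves to {sorted(addrs)}, expected {expected_ip}")
    ptr_names = {_norm(n) for n in reverse(expected_ip)}
    if not ptr_names:
        findings.append(f"no reverse (PTR) record for {expected_ip}")
    elif _norm(fqdn) not in ptr_names:
        findings.append(f"PTR for {expected_ip} is {sorted(ptr_names)}, not {fqdn}")
    if len(set(dns_servers)) < 2:
        findings.append("fewer than two DNS servers configured")
    return findings


# Constructed zone data standing in for a lab DNS server (not real hosts).
FORWARD_ZONE = {"cdp01.example.lab": {"10.10.0.70"},
                "cep01.example.lab": {"10.10.0.71"}}
REVERSE_ZONE = {"10.10.0.70": {"cdp01.example.lab."},    # trailing dot, as a resolver may return it
                "10.10.0.71": {"old-host.example.lab."}}  # stale PTR left from a previous host


def audit_constructed(fqdn, expected_ip, dns_servers):
    """Run the audit against the constructed zone data instead of the host resolver."""
    return audit_name_resolution(fqdn, expected_ip, dns_servers,
                                 forward=lambda h: FORWARD_ZONE.get(h.lower(), set()),
                                 reverse=lambda ip: REVERSE_ZONE.get(ip, set()))


if __name__ == "__main__":
    print(audit_constructed("cdp01.example.lab", "10.10.0.70", ["10.10.0.4", "10.10.0.5"]))
    print(audit_constructed("cep01.example.lab", "10.10.0.71", ["10.10.0.4"]))
```

Against a real environment, call `audit_name_resolution` with the appliance FQDN, its static address and the DNS servers configured on the appliance; the stale-PTR case in the constructed data is the one that is easy to miss when an address is reused.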

Table 8. Design Decisions on Time Synchronization

CBA-CDP-NET-005
  Design Decision: Configure NTP servers for the Cloud Proxy appliance.
  Design Justification:
    • Ensures that the appliance has accurate time synchronization.
    • Assists in the prevention of time mismatch between the appliance and its dependencies.
  Design Implication:
    • NTP infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the NTP servers must allow NTP traffic.
    • You must provide two or more NTP servers unless NTP geographic load balancing is active.

CBA-CEP-NET-005
  Design Decision: Configure NTP servers for the Cloud Extensibility Proxy appliance.
  Design Justification:
    • Ensures that the appliance has accurate time synchronization.
    • Assists in the prevention of time mismatch between the appliance and its dependencies.
  Design Implication:
    • NTP infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the NTP servers must allow NTP traffic.
    • You must provide two or more NTP servers unless NTP geographic load balancing is active.

Life Cycle Management

Table 9. Design Decisions on Life Cycle Management

CBA-CDP-LCM-001
  Design Decision: Use Cloud Assembly to apply Cloud Proxy appliance upgrades.
  Design Justification: Cloud Assembly provides the ability to manage the life cycle of the Cloud Proxy appliance.
  Design Implication: None.

CBA-CEP-LCM-001
  Design Decision: Use Cloud Assembly to apply Cloud Extensibility Proxy appliance upgrades.
  Design Justification: Cloud Assembly provides the ability to manage the life cycle of the Cloud Extensibility Proxy appliance.
  Design Implication: None.

Cloud Assembly Design

Table 10. Design Decisions on Tagging for Cloud Assembly

CBA-CA-CFG-001
  Design Decision: Establish and publish a well-defined strategy, implementation, and taxonomy for the tagging of cloud resources.
  Design Justification: Capability and constraint tags facilitate resource consumption by using the declarative nature of cloud templates to define deployment configurations.
  Design Implication: Your strategy must account for external tags, for example, vSphere and NSX-T Data Center tags, and internal, user-defined tags managed through Cloud Assembly.

CBA-CA-CFG-002
  Design Decision: Apply constraint tags to the cloud template YAML structure.
  Design Justification: To determine the deployment configuration during a provisioning operation, capabilities are matched with constraints, each expressed as tags, in cloud templates and images.
  Design Implication: You must manage the capability tags on your cloud resources, such as cloud zones, storage and storage profiles, and networks and network profiles.

Table 11. Design Decisions on Cloud Accounts for Cloud Assembly

CBA-CA-CFG-003
  Design Decision: Add a vCenter Server cloud account for each VI workload domain vCenter Server instance in the VMware Cloud Foundation instance.
  Design Justification: You integrate the vCenter Server instance for each VI workload domain with Cloud Assembly for provisioning.
  Design Implication: You must manage the cloud account credentials and the life cycle management of the related service accounts.

CBA-CA-CFG-004
  Design Decision: Add an NSX-T Manager cloud account for each VI workload domain NSX Manager cluster instance in the VMware Cloud Foundation instance.
  Design Justification: You integrate the NSX Manager cluster for each VI workload domain with Cloud Assembly for provisioning.
  Design Implication: You must manage the cloud account credentials and the life cycle management of the related service accounts.

Table 12. Design Decisions on Cloud Zones for Cloud Assembly

CBA-CA-CFG-005
  Design Decision: Create a cloud zone for each VI workload domain.
  Design Justification: Facilitates provisioning on a specific VI workload domain.
  Design Implication: None.

CBA-CA-CFG-006
  Design Decision: Add tags to each cloud zone.
  Design Justification: Ensures that deployments can be targeted to a designated cloud account region.
  Design Implication:
    • You must manage the tagging of cloud zones.
    • You must ensure that constraint tags are included in the cloud template YAML if cloud account region-specific targeting is required.

CBA-CA-CFG-007
  Design Decision: For each vSphere cluster added to a VI workload domain, add tags to the vSphere cluster.
  Design Justification:
    • Ensures that, as you add new vSphere clusters to a VI workload domain, you can dynamically include compute resources for workload provisioning by adding the appropriate tags.
    • Ensures that deployments can be targeted for designated clusters of the VI workload domain.
  Design Implication:
    • You must manage the tagging of compute resources as you add clusters to a VI workload domain.
    • You must ensure that constraint tags are included in the cloud template YAML.
    • If resource pools must be activated in a VI workload domain, add tags only to the required resource pools in the VI workload domain clusters for cloud zones.

CBA-CA-CFG-008
  Design Decision: Add a workload folder in the vCenter Server instance for each VI workload domain.
  Design Justification: Ensures that cloud templates that do not include the folderName value are deployed in a default workload folder.
  Design Implication:
    • You must add the default workload folder to all VI workload domains.
    • To override the default folder, you must add logic in your cloud template YAML code to deploy cloud templates in alternative folders.

    Note: The destination folder, where the cloud templates are deployed, must exist. Cloud Assembly cannot create the destination folder without extensibility.

Table 13. Design Decisions on Integrations for Cloud Assembly

CBA-CA-CFG-009
  Design Decision: Integrate vRealize Orchestrator to extend automation and workload life cycle management capabilities.
  Design Justification: Facilitates extended automation and workload life cycle management capabilities.
  Design Implication: The use of vRealize Orchestrator integration requires the Cloud Extensibility Proxy to be deployed within your VMware Cloud Foundation instance.

CBA-CA-CFG-010
  Design Decision: Activate the Extensibility Actions On-Prem integration.
  Design Justification: Facilitates lightweight actions through event subscriptions without the requirement for a public cloud account provider, such as Amazon Web Services Lambda or Microsoft Azure Functions.
  Design Implication: The use of action-based extensibility requires the Cloud Extensibility Proxy to be deployed within your VMware Cloud Foundation instance.

Table 14. Design Decisions on Projects for Cloud Assembly

CBA-CA-CFG-011
  Design Decision: For each project, add one or more cloud zones based on the project requirements and allowed cloud resources.
  Design Justification: Provides one or more cloud zones and their resources for project consumption.
  Design Implication: None.

CBA-CA-CFG-012
  Design Decision: For each project, set a provisioning priority for each cloud zone based on your deployment prioritization.
  Design Justification: Prioritizes one cloud zone over another within a project. The default priority is 0 (highest priority).
  Design Implication: You must manage the provisioning priority for each cloud zone in each project.

CBA-CA-CFG-013
  Design Decision: For each project, set limits for the project cloud zones as required.
  Design Justification: Sets the maximum number of workload instances and resources provisioned in the cloud zone for the project. The default limit is 0 (unlimited).
  Design Implication: If a value greater than 0 (0 means unlimited) is used for the instance or resource limit, you must manage the limit for each cloud zone in each project when requirements change.

CBA-CA-CFG-014
  Design Decision: For each project, specify network, storage, and extensibility constraints that must be applied to all requests in the project.
  Design Justification: Ensures proper placement of the workloads in a project and its cloud zones.
  Design Implication: If the same constraint or the same constraint category is specified in both the project, for example, region:us-west-1, and the cloud template, for example, region:us-east-1, the constraint specified in the project takes precedence (region:us-west-1).

CBA-CA-CFG-015
  Design Decision: For each project, add one or more custom properties, for example, project:foo.
  Design Justification: Custom properties can be used for provisioning or for capturing additional metadata, such as for reporting or extensibility actions.
  Design Implication: If the same custom property is specified in both the project, for example, project:foo, and the cloud template, for example, project:bar, the property value specified in the project takes precedence (project:foo).

CBA-CA-CFG-016
  Design Decision: For each project, add a custom naming template to be used for virtual machine names provisioned in the project.
  Design Justification: The template provides a custom virtual machine name and does not affect the host name of the virtual machine. The template substitutes auto-generated virtual machine names by using available properties, such as resource properties, custom properties, endpoint properties, project properties, and a random number with a specified number of digits.

    Note: Custom naming can also be managed by using extensibility.
  Design Implication: You must ensure that the template generates unique names within this project and between projects.
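The placement rules stated across the Cloud Assembly tables (constraint tags in the template matched against capability tags on cloud zones in CBA-CA-CFG-002/006/007, the folderName override in CBA-CA-CFG-008, project precedence over the template for constraints and custom properties in CBA-CA-CFG-014/015, zone priority in CBA-CA-CFG-012, and the naming template in CBA-CA-CFG-016) are easier to reason about when run against data. The following Python model is an added example, not VMware code and not the product's actual placement engine: it is a simplified reconstruction of the behaviour those decisions describe. The cloud template is held as a dict mirroring the cloud template YAML layout; the template, project (`proj01`), zone names and capability tags are constructed sample data. Two conventions are assumptions of this model rather than statements on the page: a constraint tag without an explicit `:hard` or `:soft` suffix is treated as hard, and among zones that satisfy every hard constraint the one with the most soft matches wins before priority is considered.

```python
"""Simplified model of tag-based placement and project precedence in Cloud Assembly.

Added illustration, not VMware code. Sample template, project and zone data are constructed.
"""
import random
import re

# Constructed cloud template; the dict mirrors the cloud template YAML structure.
CLOUD_TEMPLATE = {
    "formatVersion": 1,
    "resources": {
        "Cloud_vSphere_Machine_1": {
            "type": "Cloud.vSphere.Machine",
            "properties": {
                "image": "ubuntu",
                "flavor": "small",
                "folderName": "workloads/dev",  # overrides the project's default workload folder
                "constraints": [
                    {"tag": "region:us-east-1:hard"},
                    {"tag": "env:dev:soft"},
                ],
                "customProperties": {"project": "bar", "owner": "dev-team"},
            },
        }
    },
}

# Constructed project: its region constraint conflicts with the template's.
PROJECT = {
    "name": "proj01",
    "constraints": [{"tag": "region:us-west-1:hard"}],
    "customProperties": {"project": "foo"},
    "namingTemplate": "${project.name}-${resource.name}-${###}",
    "defaultFolder": "workloads",
    "zones": [  # priority 0 is the highest
        {"name": "zone-us-west-1", "priority": 0},
        {"name": "zone-us-east-1", "priority": 1},
    ],
}

# Constructed capability tags on the cloud zones.
ZONE_TAGS = {
    "zone-us-west-1": {"region:us-west-1", "env:prod"},
    "zone-us-east-1": {"region:us-east-1", "env:dev"},
}


def parse_constraint(tag):
    """Split 'key:value[:hard|:soft]' into (key:value, is_hard); hard is assumed by default."""
    parts = tag.split(":")
    enforcement = parts.pop() if parts[-1] in ("hard", "soft") else "hard"
    return ":".join(parts), enforcement == "hard"


def effective_constraints(project, props):
    """Merge template and project constraints; on the same tag category the project wins."""
    merged = {}
    for c in props.get("constraints", []) + project.get("constraints", []):
        kv, hard = parse_constraint(c["tag"])
        merged[kv.split(":", 1)[0]] = (kv, hard)  # project entries come last and overwrite
    return list(merged.values())


def effective_properties(project, props):
    """Merge custom properties; the project value wins on a conflicting key."""
    merged = dict(props.get("customProperties", {}))
    merged.update(project.get("customProperties", {}))
    return merged


def select_zone(project, zone_tags, constraints):
    """Zone meeting every hard constraint; most soft matches first, then lowest priority value."""
    ranked = []
    for zone in project["zones"]:
        caps = zone_tags.get(zone["name"], set())
        if any(hard and kv not in caps for kv, hard in constraints):
            continue  # a failed hard constraint excludes the zone entirely
        soft_hits = sum(1 for kv, hard in constraints if not hard and kv in caps)
        ranked.append((-soft_hits, zone["priority"], zone["name"]))
    return min(ranked)[2] if ranked else None


def expand_name(template, project, resource_name, rng=random):
    """Expand ${project.name}, ${resource.name} and ${###} (N random digits)."""
    name = template.replace("${project.name}", project["name"]).replace("${resource.name}", resource_name)
    return re.sub(r"\$\{(#+)\}",
                  lambda m: str(rng.randrange(10 ** len(m.group(1)))).zfill(len(m.group(1))),
                  name)


def place(template, project, zone_tags, rng=random):
    """Compute the placement decision for each resource in the template."""
    decisions = {}
    for res_name, res in template["resources"].items():
        props = res["properties"]
        decisions[res_name] = {
            "zone": select_zone(project, zone_tags, effective_constraints(project, props)),
            "folder": props.get("folderName", project["defaultFolder"]),
            "customProperties": effective_properties(project, props),
            "name": expand_name(project["namingTemplate"], project, res_name, rng),
        }
    return decisions


if __name__ == "__main__":
    for res, decision in place(CLOUD_TEMPLATE, PROJECT, ZONE_TAGS).items():
        print(res, decision)
```

With the constructed data, the template asks for region:us-east-1 but the project's region:us-west-1 overrides it, so the machine lands in zone-us-west-1 even though only zone-us-east-1 carries the soft env:dev tag; a hard constraint that no zone satisfies yields no placement rather than a fallback, which is the case to watch for when tags on new clusters are missed (CBA-CA-CFG-007).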

Table 15. Design Decisions on Flavor Mappings for Cloud Assembly

CBA-CA-CFG-017
  Design Decision: Create standardized flavor mappings based on a common taxonomy and deployment intent.
  Design Justification: Provides a simple, natural language naming to define common deployment size specifications.
  Design Implication: You must publish and communicate the updates to cloud template developers and consumers.

CBA-CA-CFG-018
  Design Decision: For each flavor mapping, add all applicable account regions.
  Design Justification: Provides a simple, natural language naming to define common deployment size specifications when used in a specific account region.
  Design Implication: You must maintain the mapping for any image mapping create or update operation.

Table 16. Design Decisions on Image Mappings for Cloud Assembly

CBA-CA-CFG-019
  Design Decision: Use the vSphere content library to synchronize machine images across VI workload domains and VMware Cloud Foundation instances.
  Design Justification:
    • The vSphere content library is built into vSphere and meets all the requirements to synchronize machine images across VI workload domains and VMware Cloud Foundation instances.
    • vRealize Automation can consume both Open Virtualization Format (OVF) images and virtual machine templates from the vSphere content library.
    • Open source solutions, such as HashiCorp Packer, can be used to build machine images in the virtual machine template and OVA formats.
  Design Implication:
    • The vSphere content library permissions are connected to global permissions in the permissions hierarchy. To allow Cloud Assembly to synchronize and use images in the content library, the user and role must be applied at the global permissions level.
    • You must provide storage space for machine images.
    • You must ensure that the service account used for the vCenter Server cloud account has the minimum required permissions to consume machine images from the vSphere content library.
    • You must ensure that the number, size, and structure of the machine images are kept within the vSphere content library configuration maximums.
    • You must ensure HTTPS communication between all VI workload domain vCenter Server instances.
    • Deployment of OVF-based machine images from the vSphere content library might be slower than cloning of native vSphere templates.
    • Deployment of VM template-based machine images from the vSphere content library might be impacted during host maintenance or failure until the ownership update and the vRealize Automation image collection update complete.

CBA-CA-CFG-020
  Design Decision: Create standardized image mappings based on similar operating systems, functional deployment intent, and cloud zone availability.
  Design Justification: You can create a simple taxonomy to map images to cloud templates.
  Design Implication: You must publish and communicate the image-mapping standards and updates to cloud template developers.

CBA-CA-CFG-021
  Design Decision: For each machine image in an image mapping, add a constraint tag, if applicable.
  Design Justification: Refines the machine image selection in an image mapping by matching constraints.
  Design Implication: You must manage multiple machine images in each account region based on the use of constraint tags in your organization.

Table 17. Design Decisions on Network Profiles for Cloud Assembly

CBA-CA-CFG-022
  Design Decision: For each account region, add one or more network profiles based on the network characteristics available for consumption.
  Design Justification: You can add networks with predefined characteristics that can be consumed during a deployment process.
  Design Implication: You must manage network profiles for each account region across VMware Cloud Foundation instances.

CBA-CA-CFG-023
  Design Decision: For each network in a network profile, add one or more capability tags.
  Design Justification: You use capability tags to manage the workload network placement logic during the deployment process.
  Design Implication: You must manage capability tagging on each network profile for workload placement during a deployment process.

Table 18. Design Decisions on Storage Profiles for Cloud Assembly

CBA-CA-CFG-024
  Design Decision: For each account region, add one or more storage profiles based on the storage characteristics available for consumption.
  Design Justification: You can add storage with defined characteristics that can be consumed during a deployment process.
  Design Implication: You must manage storage profiles for each account region as storage is added, removed, and updated across VMware Cloud Foundation instances.

CBA-CA-CFG-025
  Design Decision: For each storage profile, add one or more capability tags.
  Design Justification: You use capability tags to manage the workload storage placement logic during the deployment process.
  Design Implication: You must manage capability tagging on each storage profile for the workload placement logic during a deployment process.

Service Broker Design

Table 19. Design Decisions on Content Sources for Service Broker

CBA-SB-CFG-001
  Design Decision: Add a cloud template content source for each Cloud Assembly project where cloud templates are authored and released.
  Design Justification: Provides the ability to share released cloud templates with project members or other projects.
  Design Implication: None.

CBA-SB-CFG-002
  Design Decision: Add an extensibility actions content source for each Cloud Assembly project where actions are authored and released.
  Design Justification: Provides the ability to share released actions with project members.
  Design Implication: None.

CBA-SB-CFG-003
  Design Decision: Add a vRealize Orchestrator workflows content source for each Cloud Assembly project.
  Design Justification: Provides the ability to share specific vRealize Orchestrator workflows with project members.
  Design Implication: None.

Table 20. Design Decisions on Content Customization for Service Broker

CBA-SB-CFG-004
  Design Decision: For each shared content item, customize the form based on the catalog item and user experience requirements.
  Design Justification: You can create an intuitive user experience by using simple and discoverable forms that capture additional user inputs and in-form validations.
  Design Implication: Requires customization of request forms per catalog item.

Table 21. Design Decisions on Policies for Service Broker

CBA-SB-CFG-005
  Design Decision: Identify and apply goals for your organization and each project based on the applicability of the available policy types.
  Design Justification: By understanding how the policies are processed, you can meet organizational goals without creating an excessive number of policies.
  Design Implication: For each policy type, you must determine the applicability and your organizational goals to design policy enforcement and scope that results in the desired effective policy.

vRealize Orchestrator Design

Table 22. Design Decisions on vCenter Server Plug-In for vRealize Orchestrator

CBA-VRO-CFG-001
  Design Decision: Register each VI workload domain vCenter Server instance with the vRealize Orchestrator instance.
  Design Justification: Required for communication between vRealize Orchestrator and the VI workload domain vCenter Server instances.
  Design Implication:
    • When VI workload domains are added or removed, you must add or remove the vCenter Server instance in vRealize Orchestrator.
    • When the service account password changes, you must run the Update a vCenter Server instance workflow with the updated credentials.

Information Security and Access Control Design

Table 23. Design Decisions on Identity Management for Cloud-Based Automation

CBA-IAM-SEC-001
  Design Decision: Limit the use of local accounts for interactive or API access and solution integration.
  Design Justification: Local accounts are not specific to a user identity and do not offer complete auditing from an endpoint back to the user identity.
  Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBA-IAM-SEC-002
  Design Decision: Limit the scope and privileges for accounts used for interactive or API access and solution integration.
  Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
  Design Implication: You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

CBA-IAM-SEC-003
  Design Decision: Assign Cloud-Based Automation organization, service, and project roles to designated Active Directory users.
  Design Justification: To provide access to Cloud-Based Automation services, you assign Active Directory users to organization and service roles.
  Design Implication: None.

Table 24. Design Decisions on Service Accounts for Cloud Accounts in Cloud Assembly

CBA-CA-SEC-001
  Design Decision: Define a custom vCenter Server role for Cloud Assembly that has the minimum privileges required to support a vCenter Server cloud account.
  Design Justification: Cloud Assembly integrates with VI workload domain vCenter Server instances using the minimum set of privileges required to support the cloud account.
  Design Implication:
    • You must maintain the privileges required by the custom vSphere role.
    • If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

CBA-CA-SEC-002
  Design Decision: Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between Cloud Assembly and vCenter Server.
  Design Justification: Provides the following access control features:
    • Cloud Assembly accesses each VI workload domain vCenter Server instance with a minimum set of permissions.
    • If the account is compromised, access to the destination cloud account remains restricted.
    • You can introduce improved accountability in tracking request-response interactions between Cloud Assembly and the vCenter Server endpoint in the cloud account.
  Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBA-CA-SEC-003
  Design Decision: Create and assign the NSX Enterprise admin role to an Active Directory user account as a service account for each VI workload domain NSX Manager instance for application-to-application communication between Cloud Assembly and NSX-T Data Center.
  Design Justification: Provides the following access control features:
    • Cloud Assembly accesses each VI workload domain NSX Manager with the minimum set of required permissions.
    • If the account is compromised, access to the destination cloud account remains restricted.
    • You can introduce improved accountability in tracking request-response interactions between Cloud Assembly and the NSX Manager endpoint in the cloud account.
  Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Table 25. Design Decisions on Service Accounts for vRealize Orchestrator

CBA-VRO-SEC-001
  Design Decision: Define a custom vCenter Server role for vRealize Orchestrator that has the minimum privileges required to support adding VI workload domain vCenter Server instances.
  Design Justification: vRealize Orchestrator integrates with VI workload domain vCenter Server instances by using the minimum set of privileges required to support the vCenter Server registration.
  Design Implication:
    • You must maintain the privileges required by the custom vSphere role.
    • If additional VMware Cloud Foundation instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.
    • vRealize Orchestrator requires the Administrator-level privilege to register a vCenter Server instance and cannot use a restricted account for that step. After the addition of the VI workload domain, you can update and reduce the privileges for the custom role.

CBA-VRO-SEC-002
  Design Decision: Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between vRealize Orchestrator and vCenter Server.
  Design Justification: Provides the following access control features:
    • vRealize Orchestrator services access VI workload domain vCenter Server instances with the minimum set of required permissions.
    • If the account is compromised, access to the destination integration remains restricted.
    • You can introduce improved accountability in tracking request-response interactions between vRealize Orchestrator and the vCenter Server instances.
  Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Table 26. Design Decisions on Password Policies for Cloud Proxy and Cloud Extensibility Proxy Appliances

CBA-CDP-SEC-001
  Design Decision: Configure the local user password expiration policy for each Cloud Proxy instance.
  Design Justification:
    • You configure the local user password expiration policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
    • The local user password expiration policy is applicable to the root account for the Cloud Proxy appliance.
  Design Implication: You must manage the local user password expiration settings on each Cloud Proxy instance by using the appliance console.

CBA-CDP-SEC-002
  Design Decision: Configure the local user password complexity policy for each Cloud Proxy instance.
  Design Justification:
    • You configure the local user password complexity policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
    • The local user password complexity policy is applicable only to the local Cloud Proxy appliance users.
  Design Implication: You must manage the local user password complexity settings on each Cloud Proxy instance by using the appliance console.

CBA-CDP-SEC-003
  Design Decision: Configure the local user account lockout policy for each Cloud Proxy instance.
  Design Justification:
    • You configure the local user account lockout policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
    • The local user account lockout policy is applicable only to the local Cloud Proxy appliance users.
  Design Implication: You must manage the local user account lockout settings on each Cloud Proxy instance by using the appliance console.

CBA-CEP-SEC-001
  Design Decision: Configure the local user password expiration policy for each Cloud Extensibility Proxy instance.
  Design Justification:
    • You configure the local user password expiration policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
    • The local user password expiration policy is applicable to the root account for the Cloud Extensibility Proxy appliance.
  Design Implication: You must manage the local user password expiration settings on each Cloud Extensibility Proxy instance by using the appliance console.

CBA-CEP-SEC-002
  Design Decision: Configure the local user password complexity policy for each Cloud Extensibility Proxy instance.
  Design Justification:
    • You configure the local user password complexity policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
    • The local user password complexity policy is applicable only to the local Cloud Extensibility Proxy appliance users.
  Design Implication: You must manage the local user password complexity settings on each Cloud Extensibility Proxy instance by using the appliance console.

CBA-CEP-SEC-003
  Design Decision: Configure the local user account lockout policy for each Cloud Extensibility Proxy instance.
  Design Justification:
    • You configure the local user account lockout policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.
    • The local user account lockout policy is applicable only to the local Cloud Extensibility Proxy appliance users.
  Design Implication: You must manage the local user account lockout settings on each Cloud Extensibility Proxy instance by using the appliance console.

Table 27. Design Decisions on Password Management for Cloud Proxy and Cloud Extensibility Proxy Appliances

CBA-CDP-SEC-004
  Design Decision: Change the Cloud Proxy root password on a recurring or event-initiated schedule.
  Design Justification: By default, the password for the Cloud Proxy root account expires every 90 days.
  Design Implication: None.

CBA-CEP-SEC-004
  Design Decision: Change the Cloud Extensibility Proxy root password on a recurring or event-initiated schedule.
  Design Justification: By default, the password for the Cloud Extensibility Proxy root account expires every 365 days.
  Design Implication: None.

Table 28. Design Decisions on Certificates for vRealize Orchestrator

CBA-CEP-SEC-002
  Design Decision: Use a certificate authority signed certificate containing the FQDN of the Cloud Extensibility Proxy appliance.
  Design Justification: Ensures that all communications between the components and to the externally facing browser-based UI and API are encrypted.
  Design Implication:
    • Using certificates signed by a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.
    • You must manage the life cycle of the certificate.

CBA-CEP-SEC-003
  Design Decision: Use a SHA-2 or higher algorithm for certificate signing.
  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
  Design Implication: Not all certificate authorities support SHA-2 or higher.
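Whether a certificate a CA returns actually satisfies the SHA-2 decision above is something to verify before importing it. The following is an added example, not VMware code: a minimal DER walk that reads only the outer `signatureAlgorithm` OID of an X.509 certificate and maps it to a name, flagging SHA-1 and MD5 signatures (and anything it does not recognise). It is not a full X.509 parser or chain validator. The `skeleton_cert` helper builds a structurally minimal, non-valid certificate purely to exercise the parser offline; against a real certificate, pass the PEM or DER bytes read from the file.

```python
"""Check the signing algorithm of an X.509 certificate from its DER structure.

Added example, not VMware's. Reads only Certificate.signatureAlgorithm; it is not
a full X.509 parser. The skeleton certificates built here are constructed test input.
"""
import base64

# OID -> (name, acceptable under a "SHA-2 or higher" policy)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", True),
}


def _read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(data):
    """Decode DER OID content bytes into dotted form."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)          # skip tbsCertificate entirely
    _, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(lines))


def check_signing_algorithm(cert):
    """Return (algorithm name, acceptable) for PEM or DER certificate bytes."""
    der = pem_to_der(cert) if cert.lstrip().startswith(b"-----BEGIN") else cert
    oid = signature_algorithm_oid(der)
    return SIGNATURE_OIDS.get(oid, (oid, False))  # unknown algorithms are not accepted


def skeleton_cert(oid_content, pem=False):
    """Constructed minimal Certificate structure (not a valid certificate) with the given signature OID."""
    tbs = b"\x30\x03\x02\x01\x02"                                   # SEQUENCE { INTEGER 2 }
    alg = b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00"  # OID + NULL params
    alg = b"\x30" + bytes([len(alg)]) + alg
    sig = b"\x03\x02\x00\x00"                                       # placeholder BIT STRING
    body = tbs + alg + sig
    der = b"\x30" + bytes([len(body)]) + body
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5

if __name__ == "__main__":
    for oid in (SHA256_RSA, SHA1_RSA):
        print(check_signing_algorithm(skeleton_cert(oid)))
```

The check deliberately reads the outer signature algorithm rather than the copy inside tbsCertificate, because the outer field is the one that describes how the issuer actually signed; a CA that still signs with SHA-1 (the implication noted above) shows up here as `("sha1WithRSAEncryption", False)`.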

Table 29. Design Decisions on Trusted Certificates for vRealize Orchestrator

CBA-CEP-SEC-004
  Design Decision: Import the certificate authority root certificate to the vRealize Orchestrator instance.
  Design Justification:
    • Ensures that the certificate for each VI workload domain vCenter Server instance is trusted by the vRealize Orchestrator instance.
    • Ensures that other endpoints with certificates issued from the same certificate authority, for example, NSX Manager, are trusted.
  Design Implication: If the certificate authority certificate is reissued, you must import the updated certificate to the vRealize Orchestrator instance.